The Cisco Unity Administrator is a website that is used to perform
administrative tasks, which include tasks to determine system schedules,
specify settings for individual subscribers (or for a group of subscribers with
a subscriber template), and implement a call management plan. Specific issues
exist that can affect the System Administrator (SA) web interface. The purpose
of this document is to provide possible solutions to those issues.

Managing
Cisco Unity Administrator Accounts—Describes the type of accounts that
you can use in order to access the Cisco Unity Administrator and the ways in
which you create additional accounts or grant administrative rights to current
accounts so that they can be used to administer Cisco
Unity.

For more information, refer to the SA Guide for your Cisco Unity
version.

The rest of this document describes SA problems by scenario.

Note: This document focuses on the Exchange mail store, so all information
on mail stores assumes that the Exchange mail store is used.

The information in this document is based on Cisco Unity Versions 3.x
and 4.x.

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

Complete the procedure described in Check the
Application Event Log, and look for Cisco Unity errors. Cisco Unity
errors in the event log include one of our components as a source. Cisco Unity
components usually start with AV.

Use these links in order to search for and view descriptions for those
error messages:

The Force SA into ASP Debugger procedure
described in the Troubleshoot General SA
Issues section of this document provides more information about where
the SA fails when it attempts to load. After you force the SA into ASP
debugger, go into the SA. When the debugger displays, click step
over until the error occurs.

This issue has been reported as a problem with virus checkers and
occurs when the McAfee NetShield service runs with default settings. The
solution is to exclude the Cisco Unity directories from the Antivirus checker.

In order to get real information from the server, be sure to disable
the Show friendly HTTP errors option as described in
Turn Off Client Browser "Show Friendly HTTP errors.
Once the errors are disabled, you will receive the real message, which is
similar to server restarting. Refer to Cisco bug ID
CSCdv46639
(registered customers only)
for more information.

Here is the the workaround for this defect:

For Cisco Unity 3.0(x.x) and later releases, complete these
steps:

Right-click the McAfee NetShield system tray
icon.

Under the Exclusions tab, click
Add.

Enter C:\CommServer\Web\.

Note: If Cisco Unity is not installed in the default location, enter
the directories that correspond to your installation.

These error messages can be caused by an NT LAN Manager (NTLM)
authentication issue. In order to narrow down the problem, rename
\CommServer\Web\Global.asa to Global.asa.bak,
then attempt to access SAWeb. If the error has not changed, this situation
might be a Microsoft IIS issue.

In addition, create a test file named testing.htm
that contains a trivial HTML page, and call it out specifically in the browser.
Change it to an .asp file and see if anything changes.

Also, set IIS Application Protection to Low (IIS Process) if it is not
already. If it is an IIS problem, check the
IWAM_<system-name> configuration as described in
Change IWAM_systemname Permissions.

The Cisco Unity system includes an underscore "_" or exclamation mark
(!) in its name, and a particular Microsoft Internet Explorer (IE) hotfix
(either IE 5.5 or 6.0 with the q313675 patch) begins to enforce RFC compliant
cookies (that is, dashes are permitted; underscores are not permitted).

Unfortunately, the workaround for this defect is to rebuild the system
with non-DNS characters in the server name. You can also use an Internet
Explorer browser that does not include the q313675 patch.

This workaround should be a short term solution because all service
packs for IE will eventually include this fix. Also, you can use the IP address
to browse the system if the server name has non-DNS characters. Note that you
may run into Cisco bug ID
CSCdx55925
(registered customers only)
if you use the IP address.

Note: In all versions of Cisco Unity, error messages might appear when you
use the host name to open the Cisco Unity System Administrator (SA) pages.
However, the error messages do not appear if you use the IP address in the URL.
Therefore, Cisco recommends that you use the IP address in order to
successfully access the SA pages. For example, //<IP Address of
the Unity Server>/SAWeb/Default.htm

Your Cisco Unity system might have been renamed. If this is the case, a
key in the registry might point to a different name than the one it currently
runs. Complete the procedure described in Check System
Name in order to check the system name.

Check that the IIS settings do not have an extraneous system IP in the
Default Website IP Address fields (possibly a system rename issue). Complete
the procedure described in Check the IIS Settings for
IP in order to check the IIS settings.

If the output of either of these commands indicates a problem, then the
problem is not in Cisco Unity. For more information, see DNS/Cross MS "domain" Problem.

In order to make your system work properly, you might need to
explicitly add an entry to your DNS domain for the Cisco Unity server. Refer to
Cisco bug ID
CSCdw59188
(registered customers only)
for more information.

The same situation happens if Cisco Unity returns the login screen when
the authentication should be straight in. You should complete the same
procedure in order to change from anonymous to
Integrated authentication in the same virtual
directories.

If the account you currently use allows you to log on, you should
restart IIS as described in Restart IIS.

This situation could be a DNS issue. When IIS resolves the login
name provided with a DNS server and the service identifier (SID) for the user
is not properly passed to Cisco Unity, then Cisco Unity is not able to look up
the user in the Credentials/SIDHistory table in order to associate it with a
subscriber.

If you have not accessed the SA with this account in the past,
check the mappings of the user SIDs to Cisco Unity accounts on the local box.

If you select view all, you should see all
mappings for the Administrator account. More than one mapping might exist for
this account. If they do not appear, then this is a DNS problem. If they do
appear and they are mapped to an installer account or another subscriber, such
as example admin, this might be an issue with IIS or DNS name
resolution.

This error message might indicate that an unregistered DLL exists or
that the AvSaDbConn.dll is registered, but includes a bad path. In order to
resolve this issue, complete the procedure described in Look Up Registered DLLs.

This error message might indicate that a bad DLL exists. In a few
cases, the Cisco Unity system attempted to start Cisco Unity 4.0 SA with a
Cisco Unity 3.1 AvSaDbConn.dll registered and with a garbage file in place of a
system DLL.

If your system works properly, this error message indicates that you
attempted to exceed the number of concurrent logins allowed. The default value
is 5. You can change this default value in Cisco Unity 3.x and later under this
registry key:

Caution: If you change the wrong registry key or enter an incorrect value, the
server can malfunction. Before you edit the registry, confirm that you know how
to restore the server if a problem occurs. A typical backup of the Cisco Unity
server does not back up the registry. For more information, refer to the
"Restoring the Registry" help topic in Regedit.exe or the "Restoring a Registry
Key" help topic in Regedt32.exe.

SA sessions are configured in IIS to timeout on their own. The default
value is 20 minutes. Complete the procedure described in Change IIS Session Timeout in order to change this
value.

In certain situations, this error might not be valid. The real problem
might be that the user that is logged in does not have sufficient privileges to
access the system registry. In order to check privileges for a user, complete
the procedure described in Check User Privileges.

This error message is returned by Internet Explorer if Cisco Unity SA
is unable to find the server or if the SA is able to find the server, but does
not answer the HTTP request. The reason for this message is possibly bad
DNS/WINS resolution, even if not "remote." In order to troubleshoot this issue,
complete the procedure described in Remote Browser Cannot
Get to the Cisco Unity Server.

Another possible reason is a misconfiguration in the IIS at the Cisco
Unity server. Complete the procedure described in Check IIS
Virtual Directories in order to determine if IIS is running on the Cisco
Unity server. If IIS is running, complete the procedure described in
Restart IIS.

When you log into Cisco Unity server through the SA web, you receive
this error:

Missing live session flag.
For some reason, /web/global.asa did not fire
Check that this file is present.
This problem could also be related to DNS issues.
Cannot continue.

This issue typically happens when you have a Domain Name System (DNS)
or network issue. If the system cannot resolve the name, it fails. When you use
the IP address, as long as the destination is up and reachable, it
works.

In order to resolve this issue, perform these tasks:

Make sure that the HOSTS and LMHOSTS files are properly updated in
the cluster, or you can have a DNS server configured with the hostname and IP
address of the server so that the server name is resolved properly. Refer to
Basic
DNS Troubleshooting for Cisco Unity Servers for more
information.

Check that cookies are enabled per session in the Intranet security
options.

Make sure that you do not try to launch the SA web page from your
favorites; enter the web address directly or delete your cookies and test
again.

Check if you have the correct configuration for your browser as
mentioned in the Browser Configuration
section of this document.

Log on with a different account, such as the Unity Install account,
or use the GrantUnityAccess tool to access the
SAWeb.

The cause of this problem might be a DCOM error on the
CuDohMgr.exe as CuDohMgr service provides access to the DOH
for clients such as Cisco Personal Communications Assistant and Cisco Unity
Administrator.

In order to resolve the issue, go to Start > Run,
type services.msc, locate the CuDohMgr
service, and restart it.

This problem occurred in large multiple system configurations and has
been fixed in Cisco bug ID
CSCdv77631
(registered customers only)
. The SA Subscriber page times out in a
large system during a wildcard find. This problem was fixed in Cisco Unity
4.0.2.

Also related is Cisco bug ID
CSCdv63261
(registered customers only)
where the SA page times out when you
attempt to add subscribers. This problem occurs on systems with a very large
number of Exchange users. When you press the plus (+) button in the Cisco Unity
System Admin console in order to add a new subscriber, the SA attempts to load
the Add Subscriber page, but returns this message after several time
outs:

This page cannot be displayed.

Note: You can use the Cisco Unity Import tool in order to import large
quantities of Exchange users.

In order to use the SA to add new subscribers, complete these steps in
order to change the ASP script time out value in
Windows:

Choose Start > Program Files > Administrative
Tools.

Launch the Internet Services
Manager.

In the IIS window, expand the
<servername>
folder.

Expand the Default Web Site
folder.

Right-click Web, and choose
Properties.

In the Virtual Directory tab, click
Configuration.

In the Application Options tab, change the ASP script time out
value from 90 seconds to 600 seconds.

Click OK twice.

Right-click the Default Web Site folder, and
choose Stop.

Right-click the Default Web Site folder, and
choose Start.

If a Unity SA session is currently open, close and restart the
browser.

When the user attempts to add new subscribers from Exchange accounts
that exist, the subscribers page of the Cisco Unity System Administrator web
interface returns a blank frame in the browser. This message appears on the top
frame, and the rest of the page might not load:

The Page cannot be displayed error.

Attempts to browse in the System Administration might result in an
Internet Explorer (IE) pop-up error. A service restart or reboot of the system
does not change the symptom.

In order to resolve this issue, complete these steps on the Cisco Unity
server.:

Run the Message Store Config Wizard through
...\CommServer\ConfigurationSetup\Setup.exe. Do not change any values
displayed in the wizard. The password for the Unity Installation and
Directory Services accounts is required in order to complete this step.

Note: This step stops the Cisco Unity services and makes the voicemail
system unavailable for 5-10 minutes.

After the Wizard finishes, open Windows Explorer to the directory of
the registry file that you saved in step 5.

Double-click the .rgs file.

Verify that System Administrator access to the Subscribers page now
functions properly.

Reboot the server, and verify that the access to the Subscribers page
functions properly.

After you change the account passwords on the Cisco Unity server, the
System Administration page opens fine, but, when you open the
Subscribers, Subscriber
Templates, Callhandlers, etc.,
you get this error message: "The Page Cannot be Displayed."

When you launch the System Administrator Web Page and click any link in
the Navigation panel, the title and the body frames appear blank. In addition,
Page Cannot Be found error might display in the title
frame.

This issue occurs in the following situations:

If you use failover secondary Unity server and you have shut down the
secondary server

If you ran the ipconfig /flushdns command on the
primary Unity server

In order to resolve this issue, you must manually add a DNS entry for
the secondary Unity server on the primary Unity server.

Certain Audio Messaging Interchange Specification (AMIS) and
Bridge-specific fields might silently fail to save if your Windows schema has
not been updated. The easiest thing to do to solve this case is to run the
Cisco Unity schema update utility and configure things as they should be for
your installation. Once this is done, you should check the utility and log in
order to determine if it did perform an update or if it determined it was not
necessary and quit. The utility is in the Cisco Unity install directory
(typically C:\CommServer) named ConfigMgr.exe.

When you experience issues with the web-based status monitor, the first
step is to get the SA running. Then, check that the Directory Security values
for the AvXml virtual directory match those for the Web Virtual Directories.

This may happen if the authentication settings are not configured
correctly in IIS. Make sure the authentication is configured correctly, and, in
IIS, the authentication settings for Web, SAWeb, Status and
StatusXml should all be the same. For example, if one is set to
Anonymous access, they should all be set to Anonymous access. Further, if one
is set to Integrated Windows, they should all be set to Integrated Windows
authentication.

The Cisco Unity Personal Communications Assistant (PCA) web interface
is an entirely separate product from the Cisco Unity SA web interface. The only
thing they share is the IIS interface on the Cisco Unity server.

Subscribers use the Cisco PCA to access the Cisco Unity Assistant. The
Cisco Unity Assistant is a website that gives subscribers the ability to
customize personal settings—including recorded greetings and message delivery
options—on their workstations.

Any Cisco Unity subscriber can access the Cisco PCA at
http://<Cisco Unity server>/ciscopca. (Note that the URL
is case-sensitive.) However, subscribers do require proper COS rights to the
Cisco Unity Assistant

Open the Unity SA web page and choose Subscribers
> Class of Service.

In the default Subscriber COS click on Licensed
Features and then check Cisco Unity PCA. Also verify
if the Cisco Unity inbox is checked.

Reinstall the PCA application and make sure that Tomcat
Service is listed in the Windows services.

Problem 2

While accessing the SA web page, the HTTP Status: 404
error appears.

In order to resolve this issue, make sure that Active Server Pages
option is enabled in IIS Manager. Complete these steps in order to enable the
Active Server Pages option (if it is prohibited):

Use the procedures described in this section if you attempt to access
the PCA and receive this error message:

Unable to Contact Server. Try Logging On Again in a Few
Minutes. If the Problem Persists, Contact Your Cisco Unity
Administrator

In order to resolve this issue, first make sure that the Cisco Unity
server has Cisco Unity Inbox subscribers under the licensing
Wizard, which is the required license feature necessary for use of the Cisco
PCA feature. Also ensure that Cisco Unity Inbox (Visual Messaging
Interface) is checked under Class of Service >
Features for those subscribers that require it.

After the appropriate licenses on the Cisco Unity server are ensured,
other possible reasons are these:

The Cisco Unity server may be down, or a network connection
has failed.

Verify that the Cisco Unity server is running and that all network
connections are functioning properly. Restart the Cisco Unity server, as
necessary.

In order to verify that the problem is caused by a Cisco Unity server
or a network failure, you can switch to an available failover Cisco Unity
server to see whether the same error message occurs on the failover server.
Alternatively, you can change the unityurl configuration
setting to point to a Cisco Unity server that is running, and then restart the
Tomcat service. The unityurl configuration setting can be
changed in the file: <param-value
id="unityurl"> and
</param-value> which is located in
CommServer\Cscoserv\Ciscopca\WEB-INF.

AvXml directory security might be set incorrectly in IIS;
Anonymous access might be disabled or secure connections might be
enabled.

In order to confirm that this is the problem, open the
ciscopca_log.txt, ciscopca_event_log.txt, or ciscopca_diags_log.txt file
located in the CommServer\Cscoserv\Tomcat\Logs
directory, and search for an IOException
message that states HTTP returned a code 401 or 403. If the message exists,
directory security is not set correctly in IIS.

Note: If you make any changes in the Active Directory, login into the
PCA, which can fail until the PCA gets in sync with the Active Directory. You
can force an Active Directory synchronization with the DOHProptest tool in read-only mode.

WEN-INF file has an Incorrect IP address.

One of the causes can be an incorrect IP address in the
WEN-INF file. On the Cisco Unity server, verify that the
"unityurl" setting in
CommServer\Cscoserv\Ciscopca\WEB-INF\Web.xml has the correct
IP address. Restart the Tomcat service after changing the IP
address.

Typically, you receive a "500-12" error at random, or if you have
disabled friendly HTTP errors, you receive a message about "restarting the
server." This cause of this problem is most likely McAfee Virus checker.

This problem is caused when the user does not have the proper
permissions. They can access the Unity Administration page, but are unable to
view the links. Verify that the user belongs to a class of service that has the
proper permissions.

Microsoft Internet Explorer include a series of options and
configuration settings that might affect Cisco Unity. The
Internet Explorer 6.0 Browser Settings
section describes the relevant settings. Note that all pertinent settings might
not be documented.

With this option disabled, you receive the An ActiveX
control on this page is not safe popup error when you enter any page
that contains the MM control. Notice the pink highlighted area in this image.
The MM area is blank at this stage, not even a border or broken image icon.

Internet Explorer (up to version 6 with Service Pack 1) has a problem
when you attempt to change the settings. For example, if you change a setting
on the Advanced page and then clicking OK or
Apply, Internet Explorer hangs.

The easiest way to resolve this issue is to stop (or kill) all Cisco
Unity processes, apply your Internet Explorer changes, and then restart the
Cisco Unity processes.

If you cannot stop the Cisco Unity process, compete these steps in
order to resolve this issue:

Note: This step opens the web page source in a text editor. This
procedures uses Notepad in order to demonstrate the steps required to view web
page source. The final web page source is not the same as the .asp files that
generate it. This step is necessary.

Once in Notepad, press Ctrl-G, and enter the error
line number in order to go directly to that line.

Note: The ability to go directly to the line number is a new feature in
Notepad for Windows 2000; it is not available in Windows NT4.

Note: Notepad cannot correctly calculate the line number if Word Wrap
is enable. View the Format menu in order to verify that Word Wrap is
disabled.

The SA might run under the Anonymous user;
however, the Anonymous user does not have sufficient privileges to write to the
Cisco error log. In order to resolve this problem, logging is done by proxy in
the CsGateway process.

If a problem exists with SA initialization before the SA has connected
to the Gateway process, the information is not logged through the Micro Traces
mechanism. For this reason, a crude text-based log mechanism is used.

Create a file named sa.method in the root directory of
the disk where Unity is installed (typically C: ). For example, go to a command
line and enter:

echo "hi there">C:\sa.method

Note: The sa.method file can be zero length.

Reproduce the error, and look for a file named
sa.log in the same directory as the sa.method file.

Note: You must delete these files when you are done because this log file
quickly becomes very large.

In each domain that expects to get to the Cisco Unity server, add a
HOST ("A") record with the Cisco Unity server name that points to the explicit
IP address of the Cisco Unity server. This implies routing must be configured
across those networks already.

If not, you need to make changes in this User Interface, as well as
in Start > Programs > Administrative Tools > Domain Security
Policy.

Also, if this is a standalone Cisco Unity (specifically if the
Unity server is also the domain controller), you might need to make changes in
Start > Programs > Administrative Tools > Domain Controller
Security Policy.

Double-click Security
Settings.

Double-click Local Policies.

Double-click User Rights
Assessment.

Find and double-click on Log on locally.

Note: Clear the temporary Internet files and delete the cookies from
Internet Explorer.

Open a command line, and change (cd) to
the Cisco Unity installation (typically C:\CommServer).

Enter net stop w3svc.

If this completes successfully, enter net start
w3svc.

When this completes, you are done.

If the 'net stop' completed with an error message, enter
\kill inetinfo, and wait about 30 seconds for the service
manager to notice and restart it. You can also choose Start >
Programs > Administrative Tools > Services and find
World Wide Web Publishing Service.

Use the Play (right triangle) button in the tool bar in order to
start and the Stop (black square) button in order to stop.

The Microsoft SDK provides an application named
depends that lists all the dependencies of a given DLL.
This tool is useful when you want to determine problems with SA startup. Note
that it is not shipped with Cisco Unity. Run it and browse to the suspicious
DLL (typically c:\CommServer\OrderedComms\AvSaDbConn.dll). The application
indicates a problem with a popup window, as well as in the "log" pane.

The new Cisco Unity error lookup site includes every event log message
that Cisco Unity 4.0(1) and later writes to the application event log, as well
as more information about definitions for these messages and how to
troubleshoot problems they may indicate.

In addition, the site includes a link to the
DOH error
lookup that you can use to look up DOH return codes that show up in many
of the event log messages. If you are looking for a non-Unity related event log
message, visit the EventID.net site.

This issue can be caused if the service or port is blocked by either
the firewall or Antivirus.

The solution is to disable the Antivirus or firewall from the Unity and
then try to record again. If it works, exclude the Unity access from the
respective Antivirus/firewall that runs on the Unity Server.